Keys and Certificates
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Keys and Certificates
To ensure trust between parties in a secure communication
session, Palo Alto Networks firewalls and Panorama use digital certificates.
Each certificate contains a cryptographic key to encrypt plaintext
or decrypt ciphertext. Each certificate also includes a digital
signature to authenticate the identity of the issuer. The issuer
must be in the list of trusted certificate authorities (CAs) of
the authenticating party. Optionally, the authenticating party verifies
the issuer did not revoke the certificate (see Certificate
Revocation).
Palo Alto Networks firewalls and Panorama use certificates in
the following applications:
- User authentication for Authentication Portal, multi-factor authentication (MFA), and web interface access to a firewall or Panorama.
- Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
- Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
- External dynamic list (EDL) validation.
- User-ID agent and TS agent access.
- Decrypting inbound and outbound SSL traffic.A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS connection to the destination server. To secure a connection between itself and the client, the firewall uses a signing certificate to automatically generate a copy of the destination server certificate.
The following table describes the keys and certificates that
Palo Alto Networks firewalls and Panorama use. As a best practice,
use different keys and certificates for each usage.
Key/Certificate Usage | Description |
---|---|
Administrative Access | Secure access to firewall or Panorama administration
interfaces (HTTPS access to the web interface) requires a server
certificate for the MGT interface (or a designated interface on
the dataplane if the firewall or Panorama does not use MGT) and,
optionally, a certificate to authenticate the administrator. |
Authentication Portal | In deployments where Authentication policy
identifies users who access HTTPS resources, designate a server
certificate for the Authentication Portal interface. If you configure
Authentication Portal to use certificates for identifying users
(instead of, or in addition to, interactive authentication), deploy
client certificates also. For more information on Authentication
Portal, see Map
IP Addresses to Usernames Using Authentication Portal. |
Forward Trust | For outbound SSL/TLS traffic, if a firewall
acting as a forward proxy trusts the CA that signed the certificate
of the destination server, the firewall uses the forward trust CA
certificate to generate a copy of the destination server certificate
to present to the client. To set the private key size, see Configure
the Key Size for SSL Forward Proxy Server Certificates. For
added security, store the key on a hardware security module (for
details, see Secure
Keys with a Hardware Security Module). |
Forward Untrust | For outbound SSL/TLS traffic, if a firewall
acting as a forward proxy does not trust the CA that signed the
certificate of the destination server, the firewall uses the forward
untrust CA certificate to generate a copy of the destination server
certificate to present to the client. |
SSL Inbound Inspection | The keys that decrypt inbound SSL/TLS traffic
for inspection and policy enforcement. For this application, import
onto the firewall a private key for each server that is subject
to SSL/TLS inbound inspection. See Configure
SSL Inbound Inspection. Beginning in PAN-OS 8.0,
firewalls use the Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE)
algorithm to perform strict certificate checking. This means that
if the firewall uses an intermediate certificate, you must reimport
the certificate from your web server to the firewall after you upgrade
to a PAN-OS 8.0 or later release and combine the server certificate
with the intermediate certificate (install a chained certificate).
Otherwise, SSL Inbound Inspection sessions that have an intermediate
certificate in the chain will fail. To install a chained certificate:
|
GlobalProtect | All interaction among GlobalProtect components occurs
over SSL/TLS connections. Therefore, as part of the GlobalProtect deployment,
deploy server certificates for all GlobalProtect portals, gateways,
and Mobile Security Managers. Optionally, deploy certificates for
authenticating users also. The GlobalProtect Large
Scale VPN (LSVPN) feature requires a CA signing certificate. |
Site-to-Site VPNs (IKE) | In a site-to-site IPSec VPN deployment,
peer devices use Internet Key Exchange (IKE) gateways to establish
a secure channel. IKE gateways use certificates or preshared keys
to authenticate the peers to each other. You configure and assign
the certificates or keys when defining an IKE gateway on a firewall.
See Site-to-Site
VPN Overview. |
Master Key | The firewall uses a master key to encrypt
all private keys and passwords. If your network requires a secure
location for storing private keys, you can use an encryption (wrapping)
key stored on a hardware security module (HSM) to encrypt the master
key. For details, see Encrypt
a Master Key Using an HSM. |
Secure Syslog | The certificate to enable secure connections
between the firewall and a syslog server. See Syslog
Field Descriptions. |
Trusted Root CA | The designation for a root certificate issued
by a CA that the firewall trusts. The firewall can use a self-signed
root CA certificate to automatically issue certificates for other
applications (for example, SSL
Forward Proxy). Also, if a firewall must establish
secure connections with other firewalls, the root CA that issues
their certificates must be in the list of trusted root CAs on the
firewall.
(Panorama managed firewalls) The Trusted Root
CA setting for a CA must be configured as part of
the template configuration, and not part of the template stack
configuration. If you configure the Trusted Root
CA setting for a CA as part of the template stack
configuration, the associated templates do not inherit the setting
for the CA. |
Inter-Device Communication | By default, Panorama, firewalls, and Log Collectors use a set of predefined certificates for the
SSL/TLS connections used for management and log forwarding. However,
you can enhance these connections by deploying custom certificates
to the devices in your deployment. These certificates can also be
used to secure the SSL/TLS connection between Panorama HA peers. |